Stirling-PDF
cpe:2.3:a:stirlingpdf:stirling_pdf:*:*:*:*:*:*:*
- 2.5.0
A path traversal vulnerability allowing arbitrary file write has been identified in Stirling-PDF versions prior to 2.5.2. The issue is in the '/api/v1/convert/markdown/pdf' endpoint, which extracts the entries of a user-supplied ZIP archive without validating their paths. An authenticated user can therefore write files outside the designated temporary directory, with the privileges of the Stirling-PDF process user, 'stirlingpdfuser'. Existing files that are writable by that user can be overwritten, compromising data integrity; the consequences depend on the specific paths involved.
Exploitation lets an authenticated user write attacker-controlled files outside the intended temporary directory, potentially overwriting existing files and damaging data integrity. The impact is compounded by the fact that the write occurs with the same privileges as the Stirling-PDF process user, 'stirlingpdfuser'.
To reproduce this vulnerability, log in as an authenticated user and obtain an access token. Then, create a malicious ZIP file containing a Markdown file and a ZIP entry designed to exploit the path traversal vulnerability by writing outside the temporary directory. Upload this ZIP file through the '/api/v1/convert/markdown/pdf' endpoint. After the upload, verify if the file has been written outside the temporary directory, which would indicate successful exploitation.
Users are advised to update to Stirling-PDF version 2.5.2 or later, where this vulnerability has been patched.